Call now for cybersecurity help: 888-646-1616
Josh Ablett

Microsoft365 HIPAA Compliance - 6 Reasons Why It's Great

Thinking about moving your practice to Microsoft365?  We’re big fans.  Microsoft has really invested a ton in robust security settings and HIPAA compliance.

Here are six features that show how Microsoft is serious about medical practices, HIPAA, and IT security.

1) HIPAA Business Associate agreement

Microsoft will execute a HIPAA BAA that covers Microsoft365.  Check out this FAQ right from their HIPAA and HITECH page:

mcirosoft office 365 hipaa compliance

Anyone who touches your sensitive data (PHI) is a HIPAA “Business Associate.” These Business Associates must sign an agreement promising to protect your patient data.

Microsoft365 handles sensitive emails, calendars, and documents.  They are definitely considered a Business Associate by HIPAA.

2) Two Factor Authentication

Two factor authentication is becoming much more common, and it’s not a moment too soon.  You've probably seen this on other sites like online banking.  You log in with your password, but then you need to enter a code from your phone or email to prove that it’s actually you.

We’re HUGE fans of the way that Microsoft does two-factor authentication to make Microsoft365 HIPAA compliant.  Their smartphone app is well designed.  You can approve your login right from your smartphone notification screen, like this:


This is WAY easier than entering a code or waiting for a text message to come in.  You still have the choice to do both of these, but the app is fast and easy.  And we’ve always found that the best security is the kind that doesn't slow you down.

We help customers make sure two factor authentication (and their whole practice) are set up the right way.

3) Data Loss Prevention

Microsoft has invested a lot in this area, and it shows.  Data loss prevention stops your staff from accidentally emailing or sharing PHI.  Let’s take a look at how DLP works in a HIPAA-compliant Microsoft365 setup:

a) First, set up a policy.

Look - they have a pre-made one for healthcare!

office 365 hipaa dlp policy

b) Next, say what Microsoft365 services the policy covers

Best to leave them all turned on unless you have a reason not to.

office 365 hipaa dlp services

c) Next, tell it to protect anything that goes outside your company

office 365 hipaa dlp sensitive data

d) Finally, let’s tell it what to do

In this example, it’s going to warn the user.  If the user sends more than 5 pieces of information, they’ll get blocked.

office 365 hipaa blocks sensitive data

Pretty slick, huh?

4) Their compliance is completely transparent

Like other cloud security providers, Microsoft has layers and layers of inside and outside auditors measuring their compliance and IT security measures.

Microsoft has done an amazing job giving customers visibility into the results of these audits to prove that Microsoft365 is HIPAA-compliant.

Here’s how it works:

In their admin console, you enter your location and industry:

office 365 hipaa trust and compliance

Microsoft automatically shows you compliance reports relevant to your location and industry.

We can’t show you the details because they’re covered under NDA, but these two will give you an idea.

a) Status of Audited Controls

See exactly which IT security controls were audited, and whether they passed or failed:

office 365 hipaa security audits

Compliance Reports

Similarly, you can see the actual compliance reports for each service and each audit:

office 365 hipaa compliance reports

This is excellent functionality for your auditors.

5) Configurable alerts

This is a new and impressive feature of the Microsoft365 platform.  Microsoft built a rules engine that lets you trigger alerts on certain conditions.

Here’s an example -- let’s say that you have employees that aren’t supposed to delete any files.  You can set up an alert so that you’ll get notified any time someone deletes a file, and it’s as simple as this:

office 365 hipaa alerts

There are hundreds of “Activities” available on which to alert.

6) Prevent accidental breaches

Microsoft has two cloud services for file sharing:

  • Sharepoint (for team file sharing)
  • OneDrive (for personal file backup and sharing)

It can be TOO easy to accidentally share files with the public, and that would be a HIPAA breach.

Microsoft has made it simple to disable external sharing, preventing anyone from making this mistake.

office 365 hipaa disable sharing

Still feeling a bit overwhelmed?

Get some free help!  Check out our free guide for 17 Tips to Make Microsoft365 HIPAA Compliant.

Talk to us!

Have questions or feedback?  Please share them in the comments below.

Like this article?  Share it!

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright 2021 Adelia Associates, LLC | All Rights Reserved | Sitemap